The US cybersecurity agency CISA on Wednesday warned that a recent absolute path traversal vulnerability in Nakivo Backup and Replication has been exploited in the wild.
The issue, tracked as CVE-2024-48248 (CVSS score of 8.6), is a high-severity bug that could allow attackers to execute arbitrary code remotely within enterprise environments, a NIST advisory reads.
“This vulnerability allows attackers to read arbitrary files on the affected system without authentication. Exploiting this vulnerability could expose sensitive data, including configuration files, backups, and credentials, potentially leading to data breaches or further security compromises,” Nakivo notes in its advisory.
In late February, cybersecurity firm watchTowr, which reported the flaw, published a technical report explaining how it found the bug and how it allowed them to access any file on the server and to obtain the credentials used by Nakivo’s backup and disaster recovery solution.
Because the product supports a broad range of integrations within an organization’s environment, including cloud services, the flaw could potentially allow an attacker to unlock “entire infrastructure environments”, watchTowr says.
The cybersecurity firm reported the flaw in September 2024 and received confirmation on the bug in late October. Nakivo silently patched the security defect in November, in Backup and Replication version 11.0.0.88174, without mentioning CVE-2024-48248 in its release notes.
Nakivo has since updated the release notes to reference the vulnerability and, on March 6, published its own advisory, although watchTowr says it obtained the CVE for the bug on October 18.
Also on March 6, Plugin Vulnerabilities reported that the MITRE CVE Program entry for CVE-2024-48248 was still empty, and that the first exploitation attempts targeting the flaw were observed in the wild.
On Wednesday, CISA added the issue to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the available patches by April 9, as mandated by Binding Operational Directive (BOD) 22-01.
The cybersecurity agency also warned of the in-the-wild exploitation of CVE-2025-1316, an unpatched Edimax camera bug that has been exploited as a zero-day since at least May 2024, and CVE-2017-12637, a directory traversal flaw in SAP NetWeaver that has been exploited since August 2017.
Although BOD 22-01 only applies to federal agencies, all organizations are advised to identify within their environments any products impacted by the security defects in CISA’s KEV list and to apply the available mitigations as soon as possible.
Related: Paragon Spyware Attacks Exploited WhatsApp Zero-Day
Related: Exploitation Long Known for Most of CISA’s Latest KEV Additions
Related: DrayTek Vulnerabilities Added to CISA KEV Catalog Exploited in Global Campaign
Related: Faster Patching Pace Validates CISA’s KEV Catalog Initiative
